使用JavaScript将密码随机盐化并从C#进行验证
[英]Hash password with random salt using JavaScript and validate from C#
问题描述
I want to make password maintain process strong for an asp.net web application. 
我想使asp.net Web应用程序的密码维护过程更加强大。 Please validate my idea if it is workable. 请验证我的想法是否可行。 If yes then please suggest sample code or links to implement. 如果是,请提出示例代码或实施链接。 Otherwise suggest how can I send password securely from browser to server and store in hash. 否则建议如何将密码从浏览器安全地发送到服务器并存储在哈希中。
Note: I am using TLS (SSL) already for security. 注意:为了安全起见,我已经在使用TLS(SSL)。
Steps: 脚步:
- While registering user, hash user password with random salt from JavaScript in Client browser. 注册用户时,使用客户端浏览器中JavaScript的随机盐对用户密码进行哈希处理。
- Submit form. 提交表格。
- Server side code will store the hash in database. 服务器端代码将哈希存储在数据库中。
- When user try to login, hash user password with random salt from JavaScript in Client browser. 当用户尝试登录时,使用客户端浏览器中的JavaScript从随机盐中散列用户密码。
- Submit form. 提交表格。
- Validate database stored hash with login password hash. 使用登录密码哈希验证数据库存储的哈希。 (I am thinking both hash will be different due to random salt but verification function will be able to compare it) (我认为由于随机加盐,两个哈希值会有所不同,但验证功能将能够对其进行比较)
1 个解决方案
解决方案1
4 已采纳 2018-10-01 17:39:48
This is not secure. 这是不安全的。 The hashing and salting should be a hidden implementation secret that the server provides, not the client. 哈希和加盐应该是服务器(而不是客户端)提供的隐藏的实现秘密。 Since the client has the implementation secret, should someone gain access to your database, they can reverse engineer your security model. 由于客户端具有实现秘密,因此如果有人获得对您数据库的访问权限,则他们可以对安全模型进行反向工程。
HTTPS would protect the password in transit. HTTPS将保护传输中的密码。 I would also avoid rolling your own authentication system as there are many "gotchas". 由于有许多“陷阱”,我也避免使用自己的身份验证系统。 ASP.NET both Framework and Core provide strong patterns and implementations for authentication. ASP.NET Framework和Core都提供了强大的身份验证模式和实现。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.